
Commit 33eb451

alistair23keithbusch
authored andcommitted
nvme-auth: Don't propose NVME_AUTH_DHGROUP_NULL with SC_C
Section 8.3.4.5.2 of the NVMe 2.1 base spec states that """ The 00h identifier shall not be proposed in an AUTH_Negotiate message that requests secure channel concatenation (i.e., with the SC_C field set to a non-zero value). """ We need to ensure that we don't set the NVME_AUTH_DHGROUP_NULL idlist if SC_C is set. Reviewed-by: Hannes Reinecke <[email protected]> Reviewed-by: Chris Leech <[email protected]> Reviewed-by: Christoph Hellwig <[email protected]> Signed-off-by: Kamaljit Singh <[email protected]> Signed-off-by: Alistair Francis <[email protected]> Signed-off-by: Keith Busch <[email protected]>
1 parent 09e8f0f commit 33eb451

1 file changed

Lines changed: 15 additions & 12 deletions


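--- a/drivers/nvme/host/auth.c
+++ b/drivers/nvme/host/auth.c
@@ -123,6 +123,8 @@ static int nvme_auth_set_dhchap_negotiate_data(struct nvme_ctrl *ctrl,
 {
 struct nvmf_auth_dhchap_negotiate_data *data = chap->buf;
 size_t size = sizeof(*data) + sizeof(union nvmf_auth_protocol);
+u8 dh_list_offset = NVME_AUTH_DHCHAP_MAX_DH_IDS;
+u8 *idlist = data->auth_protocol[0].dhchap.idlist;
 
 if (size > CHAP_BUF_SIZE) {
 chap->status = NVME_AUTH_DHCHAP_FAILURE_INCORRECT_PAYLOAD;
@@ -139,21 +141,22 @@ static int nvme_auth_set_dhchap_negotiate_data(struct nvme_ctrl *ctrl,
 data->sc_c = NVME_AUTH_SECP_NEWTLSPSK;
 } else
 data->sc_c = NVME_AUTH_SECP_NOSC;
+chap->sc_c = data->sc_c;
 data->napd = 1;
 data->auth_protocol[0].dhchap.authid = NVME_AUTH_DHCHAP_AUTH_ID;
 data->auth_protocol[0].dhchap.halen = 3;
-data->auth_protocol[0].dhchap.dhlen = 6;
-data->auth_protocol[0].dhchap.idlist[0] = NVME_AUTH_HASH_SHA256;
-data->auth_protocol[0].dhchap.idlist[1] = NVME_AUTH_HASH_SHA384;
-data->auth_protocol[0].dhchap.idlist[2] = NVME_AUTH_HASH_SHA512;
-data->auth_protocol[0].dhchap.idlist[30] = NVME_AUTH_DHGROUP_NULL;
-data->auth_protocol[0].dhchap.idlist[31] = NVME_AUTH_DHGROUP_2048;
-data->auth_protocol[0].dhchap.idlist[32] = NVME_AUTH_DHGROUP_3072;
-data->auth_protocol[0].dhchap.idlist[33] = NVME_AUTH_DHGROUP_4096;
-data->auth_protocol[0].dhchap.idlist[34] = NVME_AUTH_DHGROUP_6144;
-data->auth_protocol[0].dhchap.idlist[35] = NVME_AUTH_DHGROUP_8192;
-
-chap->sc_c = data->sc_c;
+idlist[0] = NVME_AUTH_HASH_SHA256;
+idlist[1] = NVME_AUTH_HASH_SHA384;
+idlist[2] = NVME_AUTH_HASH_SHA512;
+if (chap->sc_c == NVME_AUTH_SECP_NOSC)
+idlist[dh_list_offset++] = NVME_AUTH_DHGROUP_NULL;
+idlist[dh_list_offset++] = NVME_AUTH_DHGROUP_2048;
+idlist[dh_list_offset++] = NVME_AUTH_DHGROUP_3072;
+idlist[dh_list_offset++] = NVME_AUTH_DHGROUP_4096;
+idlist[dh_list_offset++] = NVME_AUTH_DHGROUP_6144;
+idlist[dh_list_offset++] = NVME_AUTH_DHGROUP_8192;
+data->auth_protocol[0].dhchap.dhlen =
+dh_list_offset - NVME_AUTH_DHCHAP_MAX_DH_IDS;
 
 return size;
 }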
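Review bot: The new `if (chap->sc_c == NVME_AUTH_SECP_NOSC)` guard in the second hunk only stops the host from proposing the NULL DH group; nothing visible here makes the host refuse a DH-HMAC-CHAP challenge that still selects group 00h when SC_C is non-zero. The challenge handling is outside this diff, so this may already be covered, but if it is not, a controller that ignores the proposal list could still bring a secure-channel-concatenation session down to the NULL group, and that path should fail the negotiation when `chap->sc_c != NVME_AUTH_SECP_NOSC`. The guard's rationale also lives only in the commit message, and it silently depends on `chap->sc_c = data->sc_c;` having been moved above it, so a comment on the conditional such as `/* NVMe 2.1 8.3.4.5.2: DH group 00h must not be proposed when SC_C is non-zero */` would keep both visible. Part of the function body between the two hunks is not shown.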
